Ethical security reporting Safe-Connect

We use a coordinated vulnerability disclosure policy (also known as ‘Responsible Disclosure Policy’)
Safe-Connect considers cybersecurity of paramount importance, so it is important that its information and systems are secure.Despite our concern for the security of these systems, there may still be a vulnerability.
If you have found a vulnerability in one of our systems, we would like to hear about it so we can take action as soon as possible. We are eager to work with you to better protect customer data and our systems.
Therefore, we have adopted a policy of coordinated disclosure of vulnerabilities (also known as a “Responsible Disclosure Policy”) so that you can notify us when you discover a vulnerability.
This Responsible Disclosure Policy applies to all Safe-Connect systems.  If there is any doubt, we kindly ask you to contact us for clarification at infosec@catsanddogs.com.

What we ask of you

If you discover a vulnerability, we ask you to:

Reporting the vulnerability

  • Report the vulnerability as soon as possible after discovery. Email your findings to infosec@catsanddogs.com. You could also encrypt them with a PGP Key to prevent the information from falling into the wrong hands.
  • Provide sufficient information to reproduce the vulnerability so that we can resolve the issue as quickly as possible. Usually the IP address or URL of the affected system and a description of the vulnerability is sufficient, but more may be required for more complex vulnerabilities.
  • Leave your contact information so Safe-Connect can get in touch with you to work together to achieve a safe outcome. At a minimum, please leave your name, e-mail address and/or phone number. Reporting under a pseudonym is possible, but make sure we can contact you if we have additional questions.
  • To confirm that you have acted and will continue to act in accordance with this Responsible Disclosure Policy

Rules you must follow

  • Do not disclose the vulnerability until we have been able to correct the vulnerability. See below for possible subsequent publication.
  • Do not exploit the vulnerability by unnecessarily copying, deleting, modifying or viewing data. Or, for example, by downloading more data than necessary to demonstrate the vulnerability.
  • Do not use physical security attacks, social engineering, distributed denial of service, spam or third-party applications.
  • Delete all data obtained through the vulnerability immediately upon notification.
  • Avoid any actions that could potentially impact the proper functioning of the system, both in terms of availability and performance, but also in terms of confidentiality and integrity of the data.

Don’t apply the following actions:

  • Placing malware (virus, worm, Trojan horse, etc.).
  • Copying, modifying or deleting data in a system.
  • Making changes to the system.
  • Repeatedly accessing the system or sharing access with others.
  • Using automated scanning tools.
  • Using the so-called "brute force" of access to systems.
  • Using denial-of-service or social engineering (phishing, vishing, spam,...).
Actions under this Responsible Disclosure Policy should be limited to conducting tests to identify potential vulnerabilities, and sharing this information with Safe-Connect.
If, after the vulnerability has been removed, you wish to publish information about the vulnerability, we ask you to notify us at least one month before publication, and to give us the opportunity to respond. Identifying us in a publication is only possible after we have given our explicit approval.

What we promise

  • If you have complied with the above terms of the Responsible Disclosure Policy and have not committed any other breaches, we will not take any legal action against you.
  • We will respond to your report within a short period of time, if possible within 10 working days, with our review of the report and any expected date for resolution.
  • We will treat your report confidentially and will not share your personal data with third parties without your consent unless this is necessary to comply with a legal obligation.
  • We will keep you informed of the progress of solving the problem.
  • To thank you for any report of a security problem that is not yet known to us, we offer the opportunity to be listed in our "Hall Of Fame".
  • We strive to solve all problems within a short period of time.
  • We may choose to ignore low quality reports.
If you have any questions, we encourage you to address them to infosec@catsanddogs.com.
In case of doubt about the applicability of this policy, please contact us first via this e-mail address, to ask for explicit permission.We reserve the right to change the content of this Policy at any time, or to terminate the Policy.
This text is a derivative work of “Responsible Disclosure” by Floor Terra, used under a Creative Commons Attribution licence 3.0.